[Bug 1829562] Re: [Needs Packaging] DPF-Plugins for Eoan

Thomas Ward teward at thomas-ward.net
Thu Jun 27 01:44:25 UTC 2019


FOR THE RECORD: I've been taking my time working on this review for
about a week now, so as not to overwork vs. the other work I do outside
Ubuntu.

Static Code Analysis Tools Results (CodeWarrior)

Static code analysis of the C/C++ driven files present shows some TOCTOU
risk and potential command injection but the command injection doesn't
*appear* to be actually command injection in the manner it suggests
(therefore code injection is a false-positive match).  TOCTOU risks are
potentially present in how it handles "Time of check" vs. "Time of use"
of searched files, but that's an upstream issue and as it has other
mechanisms to handle such errors written into the code around the
potential TOCTOU violations, I don't believe there's a major code issue
blocking inclusion of the plugins.

------

Packaging Review:

* Copyright file is mostly complete, but it seems there are some
redundant overlaps, possibly because of multiple licenses being used.

* Rules file looks clean.

* Install files look clean.

* debian/control specifically with package descriptors of built binaries
needs some work, in my opinion:

 - ALL packages share the same description.  This includes the
metapackage and -common, and may lead to some confusion if someone is
not in the know about what each package specifically provides (and if
they are only reading package descriptions).  Therefore, the short AND
long descriptions could use some tweaking to provide a simple one-line
description in the description about the specifics of what each package
does.  This may be me being overly specific, but adding that extra
little bit into the description would go a long way to making this more
acceptable.  Specifics below.

 - As dpf-plugins-{lv2, ladspa, etc.} all provide *specific formats* of
the packaged plugins, it is my belief each of those packages should in
turn include a description that they contain those specific packaging
formats of those packages for use in their corresponding compatible
software that can use those formats of the same plugins.  This includes
in the short description (you could add " (LV2 format)" to the end of
the -lv2 package for example).

 - The -common package should contain something to indicate it contains
files common across *all* the varying packaged formats of the plugins.

 - The metapackage does not detail that it pulls in all packaged flavors
of the same plugins.  A simple description stating this about the
metapackage would be preferable.


While it may not be directly blocking sponsorship regarding the lack of these slightly extra descriptive lines in the package descriptions, I would prefer to see them in the specific 'packaging' formats of the plugins packages and the common package.

** Changed in: ubuntu
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1829562

Title:
  [Needs Packaging] DPF-Plugins for Eoan

Status in DPF Plugins:
  In Progress
Status in Ubuntu Studio:
  In Progress
Status in Ubuntu:
  Incomplete

Bug description:
  From the project:

   Collection of DPF-based audio plugins in LADSPA, DSSI, LV2 and VST2 formats.
   .
   The list of plugins/packs are:
    - glBars
    - Kars
    - Mini-Series (3BandEQ, 3BandSplitter, PingPongPan)
    - ndc-Plugs (Amplitude Imposer, Cycle Shifter, Soul Force)
    - MVerb
    - Nekobi
    - ProM

  These are audio plugins for audio plugin hosts such as Carla, or a
  Digital Audio Workstation (DAW) such as Ardour.

  Package is ready for MOTU upload to Eoan.

  Code at https://code.launchpad.net/dpf-plugins
  Build at https://code.launchpad.net/~ubuntustudio-dev/+archive/ubuntu/autobuild

To manage notifications about this bug go to:
https://bugs.launchpad.net/dpf-plugins/+bug/1829562/+subscriptions



More information about the Ubuntu-sponsors mailing list
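The check-then-use pattern the review above flags as TOCTOU, as an added C example that is not from the DPF-Plugins source or its packaging: a stat()-then-fopen() loader beside an open()-then-fstat() loader, exercised on a constructed temp file and a symlink to it (the /tmp prefix and the function names are illustrative).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use, the shape a static analyser reports as TOCTOU: nothing ties
 * the path that stat() inspected to the file fopen() opens a moment later. */
int load_racy(const char *path, char *buf, size_t len) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1; /* time of check */
    FILE *f = fopen(path, "r");                                   /* time of use */
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (int)n;
}

/* Hardened: open first, then validate the descriptor that is actually read, so
 * check and use refer to the same inode. O_NOFOLLOW also refuses symlinks. */
int load_safe(const char *path, char *buf, size_t len) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Constructed demo: a temp file and a symlink pointing at it. Returns 0 when
 * the racy loader follows the symlink but the hardened loader refuses it. */
int demo(void) {
    char path[] = "/tmp/dpf-toctou-XXXXXX", lnk[64], a[32], b[32];
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, "plugin", 6) != 6) return -1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", path);
    if (symlink(path, lnk) != 0) { unlink(path); return -1; }
    int direct = load_safe(path, a, sizeof a);
    int racy = load_racy(lnk, b, sizeof b);
    int safe = load_safe(lnk, b, sizeof b);
    unlink(lnk);
    unlink(path);
    return (direct == 6 && strcmp(a, "plugin") == 0 && racy == 6 && safe == -1) ? 0 : -1;
}
```

The symlink case stands in for any substitution between check and use: the hardened loader never trusts a path-based check, only the descriptor it holds.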